Conducting a vulnerability assessment of your organisation’s security posture and calling it a day is like exploring your house for possible entry points that burglars might use, getting a handyman to beef up the security by installing new locks and security screens, only to then have your new neighbours make off with the house silver and your wife’s pearls after a cup of tea.
In other words, knowing vulnerabilities in your network only solves half the problem. Knowing how these vulnerabilities may be exploited by cyber criminals and how much damage they might cause gives you the complete picture and allows you to develop a truly resilient security posture.
A test by any other name…
The problem is that while being worlds apart, Vulnerability Assessments (VA) are frequently confused with Penetration Tests (pen tests for short). The terms are often incorrectly used interchangeably, and some security companies market vulnerability scans as pen tests, further adding to the confusion that results in wasted resources for many organisations. Knowing the difference between two of these services is critical when hiring an outside firm to test the security of your infrastructure or a particular component of your network.
So what exactly is the difference between the two? Well, a vulnerability assessment is an in-depth evaluation of your information security posture which seeks to identify and quantify cyber security vulnerabilities in your organisation. This is done by using an off-the-shelf software package, such as Nessus or OpenVAS to scan an IP address or range of IP addresses for known vulnerabilities. A report is then produced by the software that lists discovered vulnerabilities and (depending on the software and options selected) will give an indication of the severity of the vulnerability and basic remediation steps.
There’s more to the story.
Now, a pen test is a completely different kettle of fish. It actively simulates the actions of an external and/or internal cyber attacker that aims to breach the information security of the organisation. As an example, let’s say a website is vulnerable to Heartbleed. It’s one thing to run a scan and say “you are vulnerable to Heartbleed” and a completely different thing to exploit the bug and discover the depth of the problem and find out exactly what type of information could be revealed if it was exploited. This is the main difference – the website or service is actually being penetrated, just like a hacker would do.
During a pen test, a pen tester may use the output of a vulnerability scan to exploit a discovered vulnerability in order to determine the possible amount of damage to an organisation if this weakness is compromised by a real attack. Alternatively, depending on the scope, a pen test can expand beyond the network to include social engineering attacks or physical security tests. Penetration tests can be carried out on IP address ranges, individual applications, or even as little information as a company name. The level of access you give an attacker depends on what you are trying to test.
So what SHOULD you be doing?
The bottom line is that penetration tests alone will only give you a snapshot of your security program’s effectiveness. Similarly, when performed on their own, vulnerability assessments and employed scans may produce a number of false positives and discover only those vulnerabilities that the security community, hackers and software vendors are already familiar with. In a rapidly evolving threatscape, those vulnerabilities that are unknown to the public at large will not be identified by these scans. This is where a good pen tester, with out-of-the box thinking comes in.
Most organisations should start with a vulnerability assessment, act on its results to the best of their abilities and then have a penetration test performed. Utilising vulnerability assessments and penetration testing together provides enterprises with a more comprehensive security evaluation than any single test alone. Using the combined approach gives an organisation a more detailed view of the threats facing its applications and networks, enabling the business to better protect its systems and data from malicious attacks.
What to know more on how a Penetration Test or Vulnerability Assessment can help your company’s cyber security? Get In Touch today for a chat with one of our security experts and we’ll help you find the right solution.
Read Our Latest Blogs